Description
The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (such as total_width, color_scheme, and caption_font_size) inside the sc_horcatbar() function, which are concatenated directly into HTML attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Post Category Gallery plugin for WordPress is vulnerable to stored cross‑site scripting because it concatenates user‑supplied shortcode attributes directly into HTML attributes without adequate sanitization or escaping. This flaw allows an authenticated user with contributor‑level permissions to inject arbitrary JavaScript that will run whenever a page containing the malicious shortcode is loaded. The underlying weakness is a classic input validation issue defined as CWE‑79.

Affected Systems

This flaw affects sites that have installed the Fides IT Post Categories Gallery plugin for WordPress, any version through and including 1.0.0. No other product versions are listed as affected.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium impact, and no EPSS data is available, suggesting no current evidence of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication and contributor privileges; an attacker would need to add or edit a post containing the postcategorygallery shortcode, then supply crafted attribute values that are stored in the database. Once stored, the malicious script executes whenever a user views the affected page.

Generated by OpenCVE AI on May 27, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the Post Categories Gallery plugin or uninstall the plugin if no update is available.
  • Remove all existing instances of the 'postcategorygallery' shortcode from posts and pages to eliminate stored malicious attributes.
  • Restrict contributor-level users from adding or editing shortcodes by adjusting role capabilities or deploying a security plugin that blocks shortcode insertion.

Generated by OpenCVE AI on May 27, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Fides-it
Fides-it post Categories Gallery
Wordpress
Wordpress wordpress
Vendors & Products Fides-it
Fides-it post Categories Gallery
Wordpress
Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (such as total_width, color_scheme, and caption_font_size) inside the sc_horcatbar() function, which are concatenated directly into HTML attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Post Categories Gallery <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Fides-it Post Categories Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:31:03.831Z

Reserved: 2026-05-18T20:16:13.330Z

Link: CVE-2026-8867

cve-icon Vulnrichment

Updated: 2026-05-27T10:30:58.791Z

cve-icon NVD

Status : Received

Published: 2026-05-27T07:16:16.103

Modified: 2026-05-27T07:16:16.103

Link: CVE-2026-8867

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:06:46Z

Weaknesses